So the way it is at the moment as the haproxy template is very simplistic every service will be exposed to the outside as service-name.example.com via the elb using the port 80 both the elb and the haproxies. Could create another "haproxy fronted" bound to a different port (e.g 1234) so no accessible from the outside and populate the backends according to consul tags, then in the bastion put in place a solution for resolving your chosen “haproxy_internal_domain” to a given slave so your interal services would be available in the bastion VPN via “app.haproxy_internal_domain:1234”. Other possibilty would be to expose a given weave subnetwork to the bastion so all the internal services would be accesible via consul DNS as in your case like *.service.consul. We are pending on https://github.com/weaveworks/weave/issues/117#issuecomment-124075671 so we can be more granular at the time of creating weave subnets.
So the way it is at the moment as the haproxy template is very simplistic every service will be exposed to the outside as service-name.example.com via the elb using the port 80 both the elb and the haproxies. Could create another "haproxy fronted" bound to a different port (e.g 1234) so no accessible from the outside and populate the backends according to consul tags, then in the bastion put in place a solution for resolving your chosen “haproxy_internal_domain” to a given slave so your interal services would be available in the bastion VPN via “app.haproxy_internal_domain:1234”. Other possibilty would be to expose a given weave subnetwork to the bastion so all the internal services would be accesible via consul DNS as in your case like *.service.consul. We are pending on https://github.com/weaveworks/weave/issues/117#issuecomment-124075671 so we can be more granular at the time of creating weave subnets.